Security Patch Management Review

(Report No. 03-035, August 21, 2003)

Summary

International Business Machines (IBM), an independent professional services firm, was engaged by the Office of Inspector General (OIG) to perform a vulnerability assessment of the Federal Deposit Insurance Corporation’s (FDIC) network operations. The work accomplished through this contract helped the OIG satisfy its Federal Information Security Management Act-related reporting requirements.

The objective of the review was to evaluate the policies and procedures for implementing security patches in the FDIC’s networked environment. The scope of the review was specifically designed to focus on the security patching process of Cisco routers and Windows servers.

IBM concluded that the FDIC’s Division of Information and Resources Management (DIRM) is improving its program; however, additional work is needed to strengthen the security patch management process.

Recommendations

IBM made multiple recommendations to the Acting Director, DIRM, to improve the security patch management process.

Management Response

DIRM’s response adequately addressed the conditions discussed in the report.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.